From 7df9d7ef4f6ebef240532884cb5b3a3c59f55775 Mon Sep 17 00:00:00 2001 From: Rustam Efimov Date: Tue, 14 Apr 2026 21:47:04 +0300 Subject: [PATCH] feat(services/synapse): simplify reverse proxy --- services/synapse/nginx.nix | 66 ++++++-------------------------------- 1 file changed, 9 insertions(+), 57 deletions(-) diff --git a/services/synapse/nginx.nix b/services/synapse/nginx.nix index ffc30a7..bc28321 100644 --- a/services/synapse/nginx.nix +++ b/services/synapse/nginx.nix @@ -8,11 +8,7 @@ in services.nginx = { appendHttpConfig = '' - limit_req_zone $binary_remote_addr zone=matrix_login:10m rate=1r/s; - limit_req_zone $binary_remote_addr zone=matrix_register:10m rate=1r/m; - limit_req_zone $binary_remote_addr zone=matrix_api:10m rate=20r/s; - limit_req_zone $binary_remote_addr zone=matrix_media:10m rate=10r/s; - limit_req_zone $binary_remote_addr zone=matrix_federation:10m rate=50r/s; + limit_req_zone $binary_remote_addr zone=matrix:10m rate=50r/s; limit_conn_zone $binary_remote_addr zone=conn_limit:10m; ''; upstreams."matrix-synapse".servers = { 
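Review bot: The single `matrix` zone at `rate=50r/s` replaces the `matrix_login` (1r/s) and `matrix_register` (1r/m) zones, so the proxy no longer throttles login or registration attempts any more tightly than ordinary API traffic. The matching `limit_req` lines are removed from the login and register locations in the second hunk. Unless Synapse's own `rc_login` / `rc_registration` limits are set elsewhere (not visible in this patch), I would keep the two strict zones, e.g. `limit_req_zone $binary_remote_addr zone=matrix_login:10m rate=1r/s;`, and keep the login and register regex locations next to the new catch-all. Note that a `^~` prefix location makes nginx skip regex locations, so the catch-all would have to drop `^~` for those to match. `conn_limit` is still declared here, but whether any location applies it lies outside the hunk.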
@@ -23,65 +19,21 @@ in enableACME = true; locations = { - # Synapse client API - "/_matrix/client" = { + "^~ /_matrix" = { proxyPass = "http://127.0.0.1:${toString port}"; extraConfig = '' - limit_req zone=matrix_api burst=50 nodelay; - client_max_body_size ${maxUploadSize}; - ''; - }; - - # Login endpoint with stricter rate limiting - "~ ^/_matrix/client/(r0|v3)/login$" = { - proxyPass = "http://127.0.0.1:${toString port}"; - extraConfig = '' - limit_req zone=matrix_login burst=3 nodelay; - ''; - }; - - # Registration with very strict rate limiting - "~ ^/_matrix/client/(r0|v3)/register" = { - proxyPass = "http://127.0.0.1:${toString port}"; - extraConfig = '' - limit_req zone=matrix_register burst=2 nodelay; - ''; - }; - - # Sync endpoint with longer timeout - "~ ^/_matrix/client/(r0|v3|unstable)/sync" = { - proxyPass = "http://127.0.0.1:${toString port}"; - extraConfig = '' - limit_req zone=matrix_api burst=50 nodelay; + limit_req zone=matrix burst=100 nodelay; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; proxy_read_timeout 600s; - ''; - }; - - # Media - "/_matrix/media" = { - proxyPass = "http://127.0.0.1:${toString port}"; - extraConfig = '' - limit_req zone=matrix_media burst=100 nodelay; - client_max_body_size ${maxUploadSize}; - ''; - }; - - # Federation - "/_matrix/federation" = { - proxyPass = "http://127.0.0.1:${toString port}"; - extraConfig = '' - limit_req zone=matrix_federation burst=100 nodelay; + proxy_connect_timeout 60s; + proxy_send_timeout 600s; client_max_body_size 50M; ''; }; - "/_matrix/key" = { - proxyPass = "http://127.0.0.1:${toString port}"; - extraConfig = '' - limit_req zone=matrix_federation burst=50 nodelay; - ''; - }; - # Health check "= /health" = { proxyPass = "http://127.0.0.1:${toString port}";
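Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the new `^~ /_matrix` location appends to whatever X-Forwarded-For value the client already sent. Synapse takes the first entry of that header when `x_forwarded` is enabled on the listener (listener config is not visible here), so the address it logs and applies its per-IP rate limits to would be client-controlled. With nginx as the only proxy hop shown, set it from the socket address instead: `proxy_set_header X-Forwarded-For $remote_addr;`. Separately, `client_max_body_size 50M;` now stands where the client and media locations used `${maxUploadSize}`; if that binding still exists, reuse it so the proxy limit cannot drift from Synapse's `max_upload_size`.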